Online banking keypad to beat crims: Westpac

Westpac has introduced an on-screen keypad for Internet banking sign-in, in what the bank says is an effort to combat key-stroke logging fraud.

The bank said the new online keypad, which replaces the old sign-in page, would tighten security for its 1.9 million Internet banking customers by removing the use of a keyboard to enter passwords.

Cybercriminals have devised ways of recording keystrokes entered on a Web page, and have in the past used this to capture online banking customers' passwords.

"The online keypad uses special technology to scramble Customer IDs and passwords and prevent those attempting fraud from capturing entered information," said Westpac head of channel and systems management, Paul Jennings.

Westpac claimed to be the first major bank to introduce the initiative, although keypads are already used by other industry players, such as ING.

Jennings said Westpac would continue to investigate further security initiatives for its online banking service.

Talkback 29 comments

    No security from prying eyes. Quinton Dolan -- 13/02/06 (in reply to #120129190)

    While this may seem like a good idea from the perspective that compromised machines now have a small amount of added security, this one change has SERIOUSLY REDUCED one's ability to protect their password from anyone who might somehow see them log in. There is no way to discreetly or quickly type in your password with an on-screen keyboard, unless you are by yourself in a room with no windows.

    It is also an unfortunate fact that it is just as easy to track mouse movements as it is key clicks, and there is source code freely available on the internet designed specifically to do it, so it won't be long before this new type of "protection" is easily compromised by those who would benefit from it.

    If Westpac is serious about their customers' security, what they should do is offer a choice of authentication options, including but not limited to the following:

    a) Normal keyboard password entry

    It works, and provided you acknowledge the risks it shouldn't be prevented.

    b) Client Certificates

    Many companies, including Telstra currently use these for client authentication. They are simple to use, secure and aren't subject to traditional password capture attacks.

    c) A random or moving on screen keyboard

    Much like what Westpac have done but securely.

    The keys must either arrange themselves into a random configuration or move randomly after each click, otherwise a "sniffer" could simply "play back" your mouse movements to determine your authentication details.

    d) SecurID tokens.

    Westpac already offer this facility for their Business Banking services when transferring large sums of money. It is very simple and when the token and PIN are kept separately it is extremely secure. A small fee would no doubt need to be charged for the token itself but I would pay it.

    e) Smartcards & Biometrics.

    While these require extra hardware and are not very widespread, they offer unique advantages in that, like the SecurID tokens, when implemented correctly they require interaction with physical items that simply cannot be duplicated by "sniffing" and replaying a previous authentication session.

    Unfortunately I think a lot of people are going to have to be burned by online criminals before we start to see any serious efforts into customer security being taken.

    All well and good but... Craigos -- 14/02/06

    ...Then people will resort to loading VNC servers or the like to capture. Obviously it will reduce, but maybe they should look into a password that changes every minute or something. Most keyloggers also gain mouse movements and which windows are loaded. It wouldn't take that long to replay back what's sent...

    The security tokens are working well I believe...

    Hardly new Anonymous -- 14/02/06

    HSBC have already moved on from this 'new' idea and implemented two-factor authentication. It's hardly cutting edge Westpac and more a half-hearted attempt at security.

    New? I think not... Anonymous -- 14/02/06

    I remember NAB had this ages ago when they first launched their Internet Banking which required a certificate et al.

    2001 called Anonymous -- 14/02/06

    They want their "new" security idea back.

    Everyone else has moved on from this idea, what are Westpac thinking??

    It was actually first used by the old Advance Bank Michael Harris -- 14/02/06

    Please Westpac, get your facts straight. The first bank to use a Keypad based method for data entry to access an online banking service in Australia was Advance Bank (Before it was swallowed by St George).

    And as to the suggestion this provides further security, this is incorrect. As highlighted by someone else it doesn't stop prying eyes.

    What I don't understand is that Westpac already uses the RSA SecurID system for portions of their Internet Business Banking platform... why not simply roll this out on the consumer platform, negating the need to implement cumbersome and annoying security methods which actually do nothing to improve security or usability.

    Reality of cost benefit to two factor authentication Anonymous -- 07/03/06 (in reply to #120129217)

    Let's face facts here people: whenever there is internet fraud committed on people's accounts, unless the consumer has clearly contributed to the fraud, the banks incur the cost (take the time to read the EFT code of conduct sometime), and in most cases even if the consumer was silly enough to leave their log in details in the open the banks will still absorb the fraud as they don't want the bad publicity.

    The amounts lost to fraud are significantly less than the costs needed to move all online customers to 2 factor authentication. Quite simply it is cheaper to pay out and incur the fraud than move to 2 factor such as token devices. Say a bank has 2.5M online customers. Now each token costs (at wholesale prices) $100 with a shelf life of 4-6 years (depending on the device & its battery life), at which stage it would then need to be replaced at further cost; you are looking at a minimum of $250M just for the physical devices, let alone the infrastructure costs associated with maintaining these devices. If anyone runs their own business you can see it doesn't make good business sense to outlay this amount of money when in the long term fraud committed via the internet doesn't even reach this level.

    As for the issue with shoulder surfers seeing your password with online keypads, how stupid are you to do your banking in the open? I mean, do you enter your PIN at an ATM when people are around, or when you do an EFTPOS transaction?? After all the media reports and communications advising banking customers to not provide their online details via telephone or to confirm them via email, people still do. Word to the wise: take responsibility for your own actions, and stop passing the buck. We seem to live in a world where it's everyone else's fault except your own!

    It's a step backward Anonymous -- 14/02/06

    I agree with the sentiments already expressed in the comments... this is a major step backwards.

    - It opens up the way for screen loggers and mouse click loggers, which although not as common as key loggers, will just become more common if this practice is used more. When at an internet cafe, I would type my password in random order, and copy and paste certain letters from elsewhere on the page, to ensure that nothing could track me. There is now NO way I can get around this, and hence it is less secure.

    - I often log in to internet banking at work; now I can't unless I look over my shoulder every second to make sure no one is looking. It would be incredibly easy for anyone to remember my six digit limited case insensitive password after seeing it once or twice.

    - It now takes me longer to log in to online banking, because I can't click around on a screen as fast as I can type.

    I complained to Westpac about all this, and received a response telling me that they consider this more secure, they won't change, and that they consider their six digit case insensitive passwords secure also.

    If only they could give us a choice - even make the new signin screen the default, but let Internet savvy users choose the old way.

    They shouldn't force their users into a box....

    westpac introduce on screen keypad Anonymous -- 16/02/06

    HSBC introduced cryptographic RSA keys a few months ago for its online customers, making it impossible to use the login and password without being in possession of the key. This is security, not an onscreen keypad where people can SEE what you're clicking on!

    Westpac Internet Banking Changes John Kewley -- 28/02/06

    I agree with the other writer's comment that this change is at the expense of customer privacy. I would like to know how happy Mr. Jennings would be about doing his banking in an internet cafe somewhere outside Australia, like some of us have to. As a Westpac customer I am not happy and the bank does not want to listen to its clients (as usual).

    Online banking keypad to beat crims: Westpac Anonymous -- 01/03/06

    HSBC give away a Vasco One Time Password token to every internet banking customer. Bendigo Bank offer them for a small fee to customers. Other banks in Australia will be offering the same devices in the next few months. If you're not happy with Westpac then move! I did and congratulations HSBC. I'm now a happy customer at HSBC. I only had a 475k mortgage to move.

    Cover your Pin code Ross -- 01/03/06

    When I use the ATM I cover the buttons with my hand for security.
    If I can't cover the monitor for security from prying eyes, how can I use Westpac's services in public, at work or overseas in an internet cafe? I take all normal precautions for computer security - so Westpac, this has got to go before I change to HSBC or another institution with no monthly account fees and a better internet service!

    I am missing how Westpac finds this secure. Craig S Wright -- 02/03/06

    Having both Citibank, Westpac etc for a long while and having spoken to various people I STILL fail to see any gain.

    Looking at the page source - no hacking, the Java is not compiled - just script. There is a VERY simple form submission. The keys are mapped -
    Table 1 contains numbers ordered from 1 to zero
    Table 2 contains letters ordered from A to M
    Table 3 contains letters ordered from N to Z
    Writing a ***SMALL*** script/trojan to capture the form submission is simple. So they mix it up, they give the mappings.

    Eg
    "<TD><input type="button" name="M" tabindex="27" alt="M" onclick="act(34, this);" class="key" value=" M "></TD>"
    I come back and it is "randomised":
    "<TD><input type="button" name="M" tabindex="27" alt="M" onclick="act(18, this);" class="key" value=" M "></TD>"

    But it is stored on the PC. So I send a code - big deal - they map it. I just need to store the mapping (ie the page source extract) and the form.

    Maybe I have been doing this too long and am finding these things too easy, but come on!

    Craig

    To craig Dean Procter -- 03/03/06 (in reply to #120130072)

    They are only aiming it at the sheep and in Australia we have 30 million wearing wool, and 19 million wearing nylon, with a few wolves in sheep's clothing.
    We all know that anything which relies on the user to secure their machine is totally useless.
    I am fairly secure but even I know that there is someone looking at my screen from time to time, and the mouse has to move even if they can't see it they can map it. I hope they paid those geniuses a lot because it just means I'm going to get paid a whole lot more.

    Bad security Anonymous -- 02/03/06

    Firstly, to all those people that access internet banking from work, and worse yet, from an internet cafe, you really shouldn't be commenting on security as that is the worst thing you can do. You should ONLY use internet banking from a PC you have control over, such as one from home. End of story.

    Secondly, I agree that this move by Westpac has actually made their internet banking less secure.

    Not as safe as ours. Dean Procter -- 03/03/06

    It's another 'only a matter of time and proliferation'. The problem is that it is still possible to remotely defeat and you are relying on the consumer to make sure their PC is secure...wishful thinking, most of them only know how to turn them on. You need our system which is impossible to defeat with any penetration of the computer. The weak point is always the user.
    The bad guys can look over my shoulder and still have zero chance of making a transaction. That's real security. Anyone with a big wad of cash ready to bet they can beat my system is welcome to apply.
    We all know that this stuff is lame because they won't guarantee it. I will.

    Random PIN Number Entry Anonymous -- 07/03/06 (in reply to #120130151)

    The best way of defeating key logging is to only provide a random portion of your number on login

    i.e. You receive a ten digit code, but every time you login you're only asked for 4-5 of the digits. Along the lines of "enter the 6th digit of your code" etc, etc. This defeats key logging, because they only receive a partial PIN code and the next login time it could be different key positions (or at least some). Also unless they can capture the screen question a logger has no way of knowing what position the key you enter is in your actual PIN.
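    The partial-PIN scheme described in this comment, as an added example that is not part of the original thread: the server holds the 10-digit code, asks for a random subset of positions per session, and consumes the challenge on verification so a captured answer cannot be replayed. Class and method names are hypothetical; the sample code value is constructed.

```python
import secrets
import hmac

# Added example (not from the original thread): a partial-PIN challenge-response.
# The customer holds a 10-digit code; each login asks for DIGITS_ASKED random
# positions. All names here are hypothetical.

CODE_LENGTH = 10
DIGITS_ASKED = 4


class PartialPinServer:
    """Holds customers' full codes and the outstanding challenge per session.

    Caveat a practitioner should weigh: because only a subset of digits is
    checked each time, the server cannot store a one-way hash of the code; it
    must keep the digits recoverable (in practice encrypted or inside an HSM).
    """

    def __init__(self):
        self._codes = {}       # customer_id -> 10-digit string (constructed data)
        self._challenges = {}  # session_id -> (customer_id, positions)

    def enrol(self, customer_id, code):
        if len(code) != CODE_LENGTH or not code.isdigit():
            raise ValueError("code must be exactly 10 digits")
        self._codes[customer_id] = code

    def issue_challenge(self, session_id, customer_id):
        """Pick DIGITS_ASKED distinct 1-based positions with a CSPRNG, sorted."""
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(1, CODE_LENGTH + 1), DIGITS_ASKED))
        self._challenges[session_id] = (customer_id, positions)
        return positions

    def verify(self, session_id, answer):
        """Check `answer` against the challenge bound to this session.

        The challenge is consumed whether or not the answer is right, so a
        captured answer cannot be replayed: a fresh challenge will almost
        certainly ask for different positions.
        """
        challenge = self._challenges.pop(session_id, None)
        if challenge is None:
            return False
        customer_id, positions = challenge
        code = self._codes.get(customer_id)
        if code is None or len(answer) != len(positions):
            return False
        expected = "".join(code[p - 1] for p in positions)
        # Constant-time comparison so timing does not reveal which digit failed.
        return hmac.compare_digest(expected.encode(), answer.encode())
```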

    I can just see the oldies... Dean Procter -- 03/03/06

    Why don't they make it jump up and down and change the order of the keys randomly or better still get everyone to buy an eyeball scanner....what a crock this sort of thing is. I'm selling my Westpac shares, the lights might be on but there's obviously no-one at home. I've been in the business 30 years and I obviously should have spoken up sooner, this is a joke. The real criminals are the ones flogging this sort of rubbish.

    I bet you can't call him Dean Procter -- 03/03/06

    The best security in banks is used to protect their amateur security 'experts' from criticism. Send me your email address Paul and I'll let you see some real security.
    You'll have to bring cash though because I wouldn't trust Westpac with my money. I know of several of your clients who were ripped, got new accounts and addresses only to be ripped again and they don't even bank online.

    To Dean Craig S Wright -- 06/03/06 (in reply to #120130154)

    I know I can't I have been trying.
    Took 12 minutes to write my own keystroke logger/click logger for this. Just shows that I am out of practice coding.

    Fighting Keystroke Loggers A.C. -- 05/03/06

    I get worried about this when I log in from an internet cafe, so I always type nonsense within my password, and then move the cursor with the mouse to delete it. As far as I'm aware keystroke loggers can't follow the movement of the mouse.

    They can on westpac Craig S Wright -- 06/03/06 (in reply to #120130203)

    Westpac uses a JavaScript coded algorithm to do this. If you look at the page source you will see that an attacker needs to capture the form info.

    Westpac will state that they randomise this - but the algorithm for this is all on the page...

    It's a step backward Anonymous -- 06/03/06

    Use Puppy Linux Boot CD.
    Australian, free, 63 MB download,
    burn ISO file, saves to CD, DVD, USB,
    has its own firewall, brilliantly fast,
    safe banking, great performance on
    old computers, and I mean old.
    http://www.goosee.com/puppy/index.html
    I recommend version 1.07 to try

    Westpac Security Joy Stevens -- 06/03/06 (in reply to #120130263)

    I'm a very senior lady who relies on Internet Banking as I can't leave the house. Currently I use Netbank, ING, AMP Banking & Westpac. They are all "just" satisfactory but Westpac has recently taken a backward step. The mouse input is very slow and if they must use this method the keypad has to be a moving one similar to ING.
    I have an RSA SecurID but unfortunately this is only used when you wish to withdraw an amount higher than daily limit. Westpac should issue these tokens to everyone using internet banking so that they can be used for initial logon. The small fee we pay is worth it for the peace of mind.
    Harking back to ING, although their keypad moves, they need to instigate something more sophisticated than a four digit (numerals only) password.
    AMP have a twelve digit customer number and a six digit password which must be an alpha/numeric mix.

    NAB had this and thankfully they dropped it Anonymous -- 06/03/06

    NAB had this years ago and it was totally crap, and I was always paranoid logging in to ensure that nobody was watching... thankfully they got rid of it.

    Their triple layer security is much better: unlock your web password via phone banking, use your password to log in, and enter an SMS code sent to your mobile to authorise any payments.

    Nothing much better and more user friendly than this at the moment IMHO

    Re: NAB had this and thankfully they dropped it Nick Sloan -- 07/03/06 (in reply to #120130297)

    Good when you're in the country but a pain in the A* if you're outside.

    Security Device Andrew Smith -- 14/03/06

    HSBC give their users a security device that generates a random 6 digit keycode which must be used in conjunction with your username and password. As far as I know, this greatly increases the security for users.

    westpac is terrible Anonymous -- 04/09/07 (in reply to #120130932)

    Westpac is just terrible, thanks to their ongoing cutbacks their branches are declining in number, the amount of tellers in each bank is declining and customers have to wait sometimes up to 20 minutes in long lines just to bank a cheque (like I did in their Strathfield office), their cut backs are diluting their services to the point they are completely degraded.

    In the branches they encourage customers to use their online banking but just like the branches that is terrible too - it's often down for many hours at a time, every week!!

    It seems like the profit hungry Westpac can justify their ongoing cut backs and resulting poor service because they feel that their customers are ignorant fools who are more than happy to endure 'their cattle class treatment'.

    I am going to a credit union !

    Give users more options Sue White -- 17/05/08

    Give customers more control over how their account is accessed:

    1. Optional: How about a Scratchy Card, that has a grid A-Z and 0-9. Each cell has a code. Whenever you need to transfer money, it asks you to scratch the cell and give it the number under it.

    2. Optional: To have a list of valid accounts that are allowed to have money transferred into them. This could allow you to transfer into an account, OR could also specify COUNTRY locks. Useful for transferring money to mum or to yourself when overseas. Also option of specific bank locks, for example it refuses transfers to banks that are not Westpac or NAB.

    3. Optional: "Limit per day", how about also a limit per month, or a limit on the number of transactions a month.

    4. Optional: An email is sent automatically to your selected email account when money is transferred. You can tailor how the email appears. Can tell you the amount or not say, you choose. You can have it say "Hello from Mars". Another option would be an SMS to your mobile saying "Thanks for transfer" (but charge the customer $1 for the option).

    5. Time of day limits. Only allow transfers within specific times. Perhaps could specify that the account locks if an attempt to transfer is made outside of permitted times. Also permitted days of month/week. These timing details could be hidden or editable (if using a master code).

    6.........other options.....
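    The transfer controls proposed in this comment (payee allowlist, country and bank locks, daily and monthly limits, monthly transaction count, permitted hours with an optional lock), as an added example that is not part of the original thread or any bank's system. All class names, field names and sample values are hypothetical; the email/SMS notification option is not covered.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Added example (not from the original thread): a transfer-authorisation check
# that applies the optional controls listed in the comment. Every name and
# default below is hypothetical.


@dataclass
class TransferPolicy:
    allowed_accounts: set = field(default_factory=set)   # empty = no allowlist
    allowed_countries: set = field(default_factory=set)  # empty = no country lock
    allowed_banks: set = field(default_factory=set)      # empty = no bank lock
    daily_limit: float = 1000.0
    monthly_limit: float = 5000.0
    monthly_tx_limit: int = 20
    window_start: time = time(8, 0)       # permitted hours, inclusive
    window_end: time = time(20, 0)
    lock_on_out_of_hours: bool = True     # lock the account on an attempt outside hours


@dataclass
class Payee:
    account: str
    bank: str
    country: str


@dataclass
class Transfer:
    payee: Payee
    amount: float
    when: datetime


def check_transfer(policy, history, transfer):
    """Return (allowed, reason, lock_account).

    `history` is the customer's list of already-completed Transfers. Checks
    are ordered so that a rejected payee never consumes any limit.
    """
    p, t = policy, transfer
    if p.allowed_accounts and t.payee.account not in p.allowed_accounts:
        return False, "payee not on allowlist", False
    if p.allowed_countries and t.payee.country not in p.allowed_countries:
        return False, "country lock", False
    if p.allowed_banks and t.payee.bank not in p.allowed_banks:
        return False, "bank lock", False
    if not (p.window_start <= t.when.time() <= p.window_end):
        return False, "outside permitted hours", p.lock_on_out_of_hours
    same_day = [h for h in history if h.when.date() == t.when.date()]
    same_month = [h for h in history
                  if (h.when.year, h.when.month) == (t.when.year, t.when.month)]
    if sum(h.amount for h in same_day) + t.amount > p.daily_limit:
        return False, "daily limit exceeded", False
    if sum(h.amount for h in same_month) + t.amount > p.monthly_limit:
        return False, "monthly limit exceeded", False
    if len(same_month) + 1 > p.monthly_tx_limit:
        return False, "monthly transaction count exceeded", False
    return True, "ok", False
```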
